How Can I Change the Local Administrator Password on All My Computers?

Hey, Scripting Guy! How can I change the local Administrator password on all the computers in my domain?

-- AO

Hey, AO. You know, according to the now-classic cartoon punch-line, “on the Internet, no one knows if you’re a dog.” To be perfectly honest, the Scripting Guy who writes this column doesn’t care if anyone thinks he’s a dog or not; in fact, that’s a step or two up from the kind of animal he’s usually associated with. Instead, his only concern is whether or not anyone knows if he’s actually working or simply making it look like he’s working. And thanks to the Internet, and to a little foresight on his part, as far as everyone knows he’s been hard at work since the middle of last week. In reality, however, he spent all that time in the city of Kennewick, WA, soaking in the sunshine and watching the Scripting Son play in the “Bandit Bash” baseball tournament.

Note. Pop quiz: Try to guess which pitcher got the win in the game that gave the Scripting Son’s team third-place in the tournament.

Oh, well, you’re right: the Scripting Son was the winning pitcher, giving up just one earned run in 5 innings. We didn’t think anyone would be able to guess that.

Unfortunately for the Scripting Guy who writes this column, however, the party’s over: the tournament is complete (although a new one starts in just two days); he no longer gets to sit around and let the Scripting Mom do all the cooking; and – to add insult to injury – he’s back at work and faced with the chore of answering another question about system administration scripting. To be perfectly honest, that’s a chore that seems way too daunting after four days of sunshine, baseball, and free food. Could this be the end of Hey, Scripting Guy! the daily column?

Wait, don’t jump: this isn’t the end of Hey, Scripting Guy! the daily column after all. Admittedly, the Scripting Guy who writes this column found it hard to get motivated this morning. But then he remembered the words his Scripting Dad told him back on his very first day of kindergarten:

“Son, someday you’re going to write a daily scripting column and you’re going to be too burned out from baseball, sunshine, and free food to face up to that responsibility. When that time comes, remember this: Active Directory search scripts are a cinch to write, and people love them. When in doubt, toss together an Active Directory search script and call it good. Everyone will be happy, and you’ll only have to put in 10, maybe 15 minutes worth of work.”

Of course, some of you might be wondering, “Why would the Scripting Dad tell his son that Active Directory search scripts are easy to write? This actually looks a little complicated to me.” Well, you’re right: this script is a little complicated. (Although most of it’s boilerplate code that can be used as-is in almost any Active Directory search script.) However, per some additional advice given by the Scripting Dad many years ago, the Scripting Guys never bother to explain the detailed workings of an Active Directory search script; instead, they simply refer people to the two-part Tales From the Script series Dude, Where’s My Printer?That’s what makes Active Directory search scripts so easy to write. At least for the Scripting Guys.

Note. Isn’t that cheating a little bit, to write a daily column that simply points people to an article that was posted several years ago? Sure it is. But that’s OK: on the Internet, no one knows that you’re cheating.

Well, unless you’re dumb enough to admit that you’re cheating. But we doubt that anyone is that dumb.

In other words, we won’t really talk about the search portion of this script; about all we’ll do is take a peek at the SQL query that returns a collection of all the computers in the fabrikam.com domain:

objCommand.CommandText = _
"Select Name From 'LDAP://DC=fabrikam,DC=com' Where objectClass='computer'"

This is actually a pretty straightforward query: we’re simply asking for the Name of each and every object in the domain, provided that the object in question has an objectClass equal to computer. As you might expect, the only objects that have an objectClass equal to computer will be computer objects.

Just like the Scripting Dad said.

After executing the query we get back a recordset consisting of all the computer accounts in the domain. In order to change the local Administrator password on each of those machines our next step is to set up a Do Until loop that runs until we reach the end of the recordset (or, if you want to show off your knowledge of scripting, until the recordset’s EOF – end-of-file—property is True):

Do Until objRecordSet.EOF

Inside the loop, we grab the value of the Name field (the property we requested in our SQL query) and assign it to a variable named strComputer; that’s what we do in this line of code:

strComputer = objRecordSet.Fields("Name").Value

Once we have the name of the first computer safely stashed away in strComputer we can then use this line of code to bind to the local Administrator account on that machine:

Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")

Again, pretty simple and pretty straightforward. Just make sure that you type the WinNT provider name exactly as shown; if you type WinNT in any other manner (e.g., WINNT or winnt) the script will fail. After making the connection to the local Administrator account all you have to do is call the SetPassword method and assign the account a new password:

objUser.SetPassword "x%tY7iu8%4f"

Note. Yes, we know: we shouldn’t use the Scripting Son’s middle name as our password. But remember, this is just for demonstration purposes.

That’s all we have to do. After changing the password on the first computer we call the MoveNext method and move on to the next record in the recordset; we then repeat the process with the second computer in our collection. This continues until we’ve hit each and every computer in the domain.

Well, OK, in theory we’ll hit each and every computer in the domain. In reality, of course, you’re bound to have a few computers that are shut down, offline, or otherwise unavailable. In that case you might want to make a couple of modifications to the script. First, you might want to log each computer name and whether or not you were able to connect to that machine. One easy way to do that is to write this information to a text file; if you don’t know how to write information to a text file, then take a look at this section of the Microsoft Windows 2000 Scripting Guide.

Second, you might want to ping each computer before attempting to bind to the local Administrator account; that will enable the script to run much faster, because it won’t waste time trying to connect to a computer that isn’t even online. So how can you ping a computer before trying to connect to it? Take a look at our Multiple/Remote Computer Scripting Templates for samples.

In case you’re wondering, the Scripting Guy who writes this column grew up in Kennewick, WA and everyone in his immediate family still lives there; that’s how he managed to score free room and board during the baseball tournament. Kennewick is a nice enough town, although it’s far less famous as a town than it is as home of Kennewick Man, the name given to the remains of a prehistoric man found on the banks of the Columbia River. Kennewick Man has been a figure of considerable controversy, with numerous Native American tribes claiming the 9,300-year-old man as one of their ancestors. To date, however, courts have rejected all of these claims, based in large part – or so we’ve been told – on testimony from Peter Costantini, the oldest living Scripting Guy. Peter claims to have graduated from high school with Kennewick Man, and insists that Kennewick Man was not Native American. We’ll have to take Peter’s word on that one.